Exposing public corporate cock-ups is not "hacking"

Here's Ryan Tate, the first writer to cover AT&T's massive iPad data leak, on the "hacking" conviction of Andrew “Weev” Auernheimer for exposing it in the first place: "The scapegoating of Auernheimer is revolting for two reasons. One, it lets AT&T off the hook for exposing sensitive information to public view, shifting the blame onto those who reported the slip-up, and discouraging future disclosure. Two, the jailing of Auernheimer criminalizes the act of fetching openly available data over the web." Previously.

If it’s not any more difficult than typing a URL, then it’s a crime for it to be a crime. Way back in 1997, my friend and I used the same ISP in Spain, which provided web-based access to upload your own website. My friend noticed that once you created a sub-folder, it basically let you navigate ‘up’ to the complete list of user folders, then ‘down’ into any user folder you liked… with full rwx access. Many oldschool lols were to be had the day I looked at my site and found the whole thing to be surrounded by blink tags. Should he spend 4 years in jail for it? I don’t think so.

Maybe not 4 years in jail, but I don’t think a fine and a hundred hours or so community service would have been out of place. Vandalizing something just because there’s no fence around it isn’t alright.

Would you rather a security flaw be exposed by a hacker who is trying to draw attention to a potential risk, or people go “uh-oh, I could get in trouble for that, better leave it alone” and only gangsters, foreign spies, terrorists, malicious kids etc. etc. take advantage of the security flaw?

If my front door was unlocked and open and I saw some kid standing in my front room going “wahh whahh wahh you left your door unlocked!” I’d be happier than finding a burglar with a knife, you know?

Check the comment I’m replying to – it’s specific to the example of someone defacing websites for lulz, just because the shared hosting provider didn’t properly isolate user content.

This isn’t a hacker reading a file, maybe adding an HTML comment (not rendered in the browser) to confirm the ability to write, maybe getting permission from a fellow service user to do a demo hack on their site, and in any case contacting the service provider so they can fix the problem.

He didn’t vandalize it. Vandalism involves some sort of destruction or defacement.

What he did was equivalent to writing a web spider that uses the way that web server software is written to go find all the web pages on a server and then index them. That’s not illegal. It’s just using the software the way it was written. He didn’t destroy anything. He wrote a script that used the software that AT&T wrote.

See above – follow the whole thread. The comment you reply to is itself in reply to a comment, and the actions I refer to as vandalism are the ones described in that comment (and done by someone else, not Weev).

The internet is not a dump truck; web servers are not doors.
A web server is a machine that’s set up to respond to requests; it’s kind of like a bank teller. AT&T, because they’re incompetent, set up their web server so that, when it received a serial number in a request, to respond with a phone number. That can’t have happened by itself; AT&T had to consciously set up the web server, consciously connect it with a database of phone numbers and consciously tell the server to respond the way it did.

The “door” metaphor is inaccurate; it probably applies better to a SQL injection attack.

A better metaphor is walking up to a bank teller, saying “Hi, what’s Cory Doctorow’s bank balance?”, then asking “What’s Rob Beschizza’s?” etc. It’s not your fault that the bank “configured” its employees to disclose private facts to anyone who asks.
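The pattern the comment above describes, a lookup endpoint that hands back a customer record to whoever supplies a serial number, shown as an added illustration beside a hardened version and a simple enumeration check. This is constructed example code, not AT&T's system or anything posted in the thread; the record store, session tokens and log lines are made-up sample data.

```python
# Added illustration, not code from AT&T or the original thread. The records,
# sessions and log lines below are constructed to show the pattern the comment
# describes: an unauthenticated lookup keyed only on a serial number.
from collections import defaultdict

# Constructed sample "database": serial number -> account record.
RECORDS = {
    "8901000000000000001": {"owner": "alice", "email": "alice@example.com"},
    "8901000000000000002": {"owner": "bob", "email": "bob@example.com"},
}
# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice"}


def lookup_weak(serial):
    """Weak design: anyone who can send a serial gets the record back."""
    rec = RECORDS.get(serial)
    return rec["email"] if rec else None


def lookup_hardened(serial, token):
    """Hardened: the caller must be authenticated AND own the serial."""
    user = SESSIONS.get(token)
    if user is None:
        return None  # not logged in (would be a 401 over HTTP)
    rec = RECORDS.get(serial)
    if rec is None or rec["owner"] != user:
        return None  # same answer for "missing" and "not yours", so the
        #              endpoint cannot be used to probe which serials exist
    return rec["email"]


def enumeration_sources(log_lines, threshold=3):
    """Detection: report client addresses that query many distinct serials."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, path = line.split()[:2]
        if path.startswith("/lookup?serial="):
            seen[ip].add(path.split("=", 1)[1])
    return sorted(ip for ip, serials in seen.items() if len(serials) >= threshold)


# Constructed access-log lines in "<ip> <path>" form.
SAMPLE_LOG = [
    "203.0.113.5 /lookup?serial=8901000000000000001",
    "203.0.113.5 /lookup?serial=8901000000000000002",
    "203.0.113.5 /lookup?serial=8901000000000000003",
    "198.51.100.9 /lookup?serial=8901000000000000001",
]
```

The weak function answers any serial with no credential at all, which is exactly why sequential requests over it are "just using the software the way it was written"; the hardened one ties the answer to a logged-in owner, and the log check flags the one address walking through several serials.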

A more apt analogy – if you leave your curtains open and light on at night, does that mean it is okay for someone to look in your window from a place they are allowed to be (not jumping your fence and putting a ladder to your wall to get a better view)?

The answer to that one is, yes – and if you are going around naked in those circumstances, those who see you will not be charged as peeping toms, but you may be charged with indecent exposure.

If you leave your curtains drawn and decide to get undressed and someone sees you, that person is not violating any laws. In fact, if that someone were a police officer, he could fine you for public indecency or something similar. In the case of AT&T, they should have received some punishment for violations of their own privacy agreements with their customers.

In this case, however, a person looked in, went to let them know the window was open, and was charged with rape. Well, except he’s getting a harsher punishment than rapists, apparently.

Perhaps one of the lessons is that if your goal is to be a white-hat hacker & expose (as opposed to exploit) security weakness, perhaps you should just poke at the problem (e.g., access a few email addresses by way of example) as opposed to wholesale slurping (e.g., accessing 100,000 email addresses).

I hadn’t meant to imply that Weev would have a get-out-of-jail-free card if he hadn’t gathered 100k names. Sure, if a law applies to doing it 100k times, then clearly it also applies to doing it 1 time. However, at least for me there is a difference. I have a lot more sympathy for Brad Hill and would easily believe he had the best of motives. With Weev, I can’t fault someone for wondering if perhaps there was some reason why he went to the effort of collecting so much data.

It’s not even really comparable – Brad Hill didn’t even do a dubious thing 1 time. The thing that Weev did – obtaining information he probably shouldn’t have had – Brad did exactly 0 times. And still he was threatened with crushing legal action.

Setting aside the joy of nitpicking, do you really think there wouldn’t have been a difference in whether the prosecution moved forward or the severity of the sentence if Weev had only accessed one email address?

The prosecution maintains that Weev publicly disclosed the vulnerability before informing AT&T about it, and that there are IRC chat logs proving that Weev and his buddy did the job to make AT&T look bad and improve their own reputations.
Weev said on Twitter that he gave AT&T a chance to respond before disclosure.

So what exactly happened? Why convict if Weev, provably, informed AT&T of the problem before releasing anything about it? And does Weev’s intent matter if he properly informed AT&T?

Jailing someone for HTTP GETs is ridiculous. URL ‘hacking’ can be done accidentally by noobs. Jailing someone for publicly releasing sensitive personal information or a security vulnerability before AT&T had a chance to patch it is not so ridiculous.

The point is, large companies have a well-earned reputation for not giving a fuck about security breaches when ‘little people’ tug on their coatsleeves and tell them about it. Because it would hurt their bottom line to fix it, and it doesn’t need fixed cos nothing bad’s happened, right? That really, really is how they think. And then someone embarrasses them and hurts their bottom line and they go into full attack mode. Because… actually, I don’t know why because.

I agree completely. What I am asking is, in Weev’s case, did he really give AT&T the chance to fix the problem before going public with it? If he didn’t at least give that cursory tug on the sleeve, he was wrong to release anything. I have NO problem with security vulnerabilities being released if they’re reported to the company and the company ignores it first. I do have a problem with active vulnerabilities being released on the internet where real evil-doers can get at them without a chance for the vulnerability to be addressed first.

Weev said he told AT&T about it, AT&T (and presumably the court that convicted Weev?) say he didn’t.

In one case, I’d disagree with the conviction, in the other I wouldn’t. I’m willing to believe that Weev did the right thing, but I find it just as easy to believe that he’d stick it to AT&T for the fun of it. I can’t find evidence either way, only contradictory information in news articles. I’m just curious if anyone out there can claim to know the real story.

I think it sets a bad precedent. I’ve occasionally written scripts that pull files off websites by enumerating URLs, which is the same thing that Aaron Swartz did. Fortunately I picked people who don’t monitor their traffic too closely. I think the bar for criminal prosecution needs to be raised somewhat. AT&T are responsible for securing the data they process, and their lapse has gone unpunished. Perhaps a civil suit could be filed against URL hackers to recover expenses dealing with the fallout, but jail time and a criminal record seems disproportionate.

Yknow, if I had the Secret Key to the Internet, I don’t think I would tell anybody. I would try it out behind 47 layers of proxies and crypto-thingamajigs, and if it was for real I would have a long hard think. Will I use this gizmo to rob banks? Will I disclose it to somebody who can patch it? Or will I post it on 4chan and say, “Have at it, boys!”

But regardless, I would be very very careful about leaving clues to my identity. I do not wish to be a celebrity, especially the kind behind bars.

Gosh. It makes me reconsider my actions ‘hacking’ around ft.com’s paywall. I was, however, careful not to tell anyone else how to do it. I’m not a hacker. It’s something my mom could do. (She’s nearly 80 and thinks Facebook is the internet.) For the record, I didn’t actually do the ‘hacking.’ A giant US mega-corporation did the hacking (for profit), I simply took advantage of it to ‘steal’ the FT content and store it in memory. I have not profited from the knowledge I’ve gained – just become more depressed.

Note: this is a true anecdote that is phrased to make it sound criminal and intended as an ironic parallel. If it were criminal we’d have to ban search engines.